Re: Don't beat me, but I've noticed a huge influx of these .pif virii today.

2003-08-19 Thread Jack Bates
Jade E. Deane wrote: Drew, You're not seeing things. I would say you can thank W32/Sobig.F-mm, referenced in http://news.com.com/2100-1002_3-5065494.html. I'd like to point out that this variant is the most aggressive yet of the Sobig family. However, I think this aggressiveness is possibly a

Re: microsoft.com

2003-08-15 Thread Jack Bates
Crist Clark wrote: Some news outlets are reporting this is actually Microsoft's plan, http://zdnet.com.com/2100-1105_2-5064433.html I'm sure Microsoft is aware that many networks are severely pissed off about the extra overhead they are enduring because of this worm. I think my helpdesk said,

Re: How much longer..

2003-08-14 Thread Jack Bates
Crist Clark wrote: To pound it home one more time, worms that attack Microsoft products are a bigger deal only because Microsoft has at least an order of magnitude greater install base than the nearest competitor. True. I'd be curious to see the worm to software vendor ratios. Anyone have them?

Re: The impending DDoS storm

2003-08-14 Thread Jack Bates
McBurnett, Jim wrote: But doesn't that mean the hacker won? If you change the DNS and a user can not get to windowsupdate, you just helped him create a better DoS than he had... I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm

Re: Server Redundancy

2003-08-14 Thread Jack Bates
Gerald wrote: We all hedged bets that Cisco was going to absorb the CSS and just make it a software feature on the Catalyst switches. I haven't heard of that actually happening yet though. No, but there is some interesting new functionality in the latest revs of IOS which look awfully

RPC errors

2003-08-14 Thread Jack Bates
I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How widespread is this at this time? Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems? -Jack

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Jack Bates
[EMAIL PROTECTED] wrote: If the client is behind a NAT, and the spoofed source address doesn't get through, then that's OK because it means that no application in that same location behind the NAT can use spoofed addresses. Which is important given the number of NAT setups that only perform NAT

Re: Microsoft to ship new versions with firewall enabled

2003-08-14 Thread Jack Bates
John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks

Re: Port blocking last resort in fight against virus

2003-08-14 Thread Jack Bates
Christopher L. Morrow wrote: If people want to use the network they need to take the responsibility and patch their systems. Blocking should really only be considered in very extreme circumstances when your network is being affected by the problem, or if the overall threat is such that a short

Re: Port blocking last resort in fight against virus

2003-08-14 Thread Jack Bates
Mans Nilsson wrote: Your chosen path is a down-turning spiral of kludgey dependencies, where a host is secure only on some nets, and some nets can't cope with the load of all administrative filters (some routers tend to take port-specific filters into slow-path). That way lies madness. Secure?

Re: RPC errors

2003-08-14 Thread Jack Bates
Jim Shankland wrote: On the not so bright side, I'm getting a steady stream of port 135 SYNs from my fellow Comcast customers (i.e., presumably on my side of Comcast's filters), which may mean the horses have mostly already left the barn. You'll see a lot of this. Establishing blocks in the local

Re: Port blocking last resort in fight against virus

2003-08-14 Thread Jack Bates
Christopher L. Morrow wrote: So, if in YOUR network you want to do this blocking, go right ahead, but I wouldn't expect anyone else to follow suit unless they already determined there was a good reason for themselves to follow suit. As an aside, a day or so of 5 minutely reboots teaches even the

Re: RPC errors

2003-08-14 Thread Jack Bates
Sean Donelan wrote: http://isc.sans.org/diary.html?date=2003-08-11 The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell and use it to download the actual worm via tftp. The name of the binary is msblast.exe. It is packed with UPX and will

Re: Port blocking last resort in fight against virus

2003-08-12 Thread Jack Bates
Sean Donelan wrote: http://computerworld.co.nz/webhome.nsf/UNID/BEC6DE12EC6AE16ECC256D8000192BF7!opendocument While some end users are calling for ISPs to block certain ports relating to the Microsoft exploit as reported yesterday (Feared RPC worm starts to spread), most ISPs are reluctant to do

Re: RPC errors

2003-08-11 Thread Jack Bates
Mark Segal wrote: I just put an access list on one of our cores with some spare cpu cycles.. And 10% of the traffic looks like port 135 calls. Anyone else see this? Did I break anything legitimate? There is legitimate use for 135, although normally it is not used in the wild much. From what

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Jack Bates
Randy Bush wrote: anti-spoofing eliminates certain avenues of attack allowing one to focus on remaining avenues, and hence (as Vix stated) is necessary but not sufficient. it turns 1% of the technical problem into a massive social business problem which, even if it was solvable (which it

Re: Blocking port 135?

2003-08-02 Thread Jack Bates
Mans Nilsson wrote: * If you block and interfere, you are responsible for what your customer does. You Do Not Want That. Depends on why you block and interfere. Intention plays a large part according to law. In this case, it's to protect the network infrastructure from a high probability

Re: The internet is slow

2003-08-01 Thread Jack Bates
[EMAIL PROTECTED] wrote: Rebooting the Internet once a month might prevent future problems. Power off, count to ten, then restart...Proactive Management!? Not a problem. At what time shall we reboot it? I was thinking late at night. -Jack

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
McBurnett, Jim wrote: if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year? In a sense, I would agree with you. The best method for what you

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
Vadim Antonov wrote: On Thu, 31 Jul 2003, Petri Helenius wrote: What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which would actually

Re: North America not interested in IP V6

2003-08-01 Thread Jack Bates
Ben Buxton wrote: In europe, when any consumer gets a net connection it's sold as a pipe to do anything you want with (as long as it abides by laws and netiquette. It seems that this silly restrictive mentality will remain even with ipv6... In the US, the pipe is limited in any number of ways in

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
Vadim Antonov wrote: Lack of real strong typing, built-in var-size strings (so the compiler can actually optimize string ops) and uncontrollable pointer operations is enough to guarantee that any complicated program will have buffer-overflow vulnerabilities. Typing can be enforced if the

Re: Blocking port 135?

2003-08-01 Thread Jack Bates
Sean Donelan wrote: free/cheap software firewalls that are easy and effective to use. And breaks all kinds of nifty things which ISP has to pay for via helpdesk support. -Jack

Re: North America not interested in IP V6

2003-07-31 Thread Jack Bates
David G. Andersen wrote: b) Why do you pay less for a flight with a saturday night stopover? - Market segmentation. People with static addresses usually want to do things like run servers, and are probably willing to pay for the privilege. And by paying for it, they subsidize the

Re: Cisco IOS Vulnerability

2003-07-17 Thread Jack Bates
[EMAIL PROTECTED] wrote: In other words - yeah, it's probably important to get this update deployed. But unless somebody has hard evidence to the contrary, I'm betting on it just being an attempt to not let things leak out till they're ready to ship across the board. That's a LOT of trains and

Re: Cisco IOS Vulnerability

2003-07-17 Thread Jack Bates
Sean Donelan wrote: Cisco stated if they receive any reports of the exploit in the wild, they will re-issue the advisory with the updated information. Sendmail root exploit took less than 24 hours to craft. I suspect that this exploit will be found within 48 hours. Enough information was

Re: Fixed IOS datestamps?

2003-07-17 Thread Jack Bates
Scott Call wrote: For example, 12.0S users are recommended to go to 12.0(25)S, which at least for the GSR is dated April 14, 2003. Do I have the right build of 12.0(25)S or will there be one with a date closer to the revelation of the exploit showing up on the cisco FTP site? I think that's a

Re: I need a portable /24 not attached to any sub-domain or anything else subject to attack

2003-07-15 Thread Jack Bates
Henry Linneweh wrote: I simply would like to borrow this /24 if you are not going to use in the near and distant future or ever for that matter. It can not be attached to any subdomain and or any or part of any routing table, this would most helpful in the development of methods to prevent

Re: Mark Allman: Internet measurement: what next?

2003-07-09 Thread Jack Bates
Daniel Karrenberg wrote: If you tell us what limits you want removed we may work on that! Sounds like below as if you are working on it. We are definitely working towards making the results generally available; see http://www.ripe.net/ripe/docs/ripe-271.html for details of that proposal. So

Re: Backbone Infrastructure and Secrecy

2003-07-09 Thread Jack Bates
[EMAIL PROTECTED] wrote: However we can work to spread out the infrastructure more so that it is harder for terrorists to find a single point of failure to attack. If they have to coordinate an attack on 3 or 4 locations, there is an increased probability that something will go wrong (as on

Re: Mark Allman: Internet measurement: what next?

2003-07-08 Thread Jack Bates
Matt Levine wrote: Gomez seems to be trying to do this, with a monetary incentive: http://www.porivo.com/peernetwork/jsp/index.jsp Test is narrowed to webserver performance and is limited in the actual test methods. From what I can tell, it says nothing about network performance except in the

Re: [Backbone Infrastructure and Secrecy]

2003-07-08 Thread Jack Bates
Joel Jaeggli wrote: The part that's striking to me, is that as usual, the folks in the industry don't know when their facilities are co-mingled, in part because that information simply isn't readily and easily available unless someone's willing to go out collect the small little bits and connect

Re: Mark Allman: Internet measurement: what next?

2003-07-07 Thread Jack Bates
Mark Allman wrote: Folks- I sent the following note out the Internet Measurement Research Group (of the IRTF) mailing list last week. I'd love to hear from operations folk on these sorts of question... i.e., what would you love to be able to measure that you can't do terribly effectively

Re: MFN/AboveNet blocking pac-rim.net/spamshield.org MX

2003-07-07 Thread Jack Bates
Paul Vixie wrote: no. a battle was held, but we didn't even show up. now the world is different. And a war isn't over until one side surrenders or is eradicated. -Jack

Re: Mark Allman: Internet measurement: what next?

2003-07-07 Thread Jack Bates
E.B. Dreger wrote: SL Date: Mon, 7 Jul 2003 19:47:53 +0100 SL From: Simon Lockhart SL As predominantly a content hoster, I'd love to know more about the path SL between my servers and the end user. Stuff like how much bandwidth is SL available (or, potentially available, to remove the congestion

Re: Newbie network upgrade question, apologies in advance to NANOG

2003-07-03 Thread Jack Bates
Andy Dills wrote: Yes, but the original poster was dealing with DS3s connected to different NAPs, which is why the packet out-of-order issue can be significant. I'd say that a more significant issue is customer throughput. The nice aspect of per conn is that it not only tends to keep a decent

Re: ISP Whitelist (was Re: NOC contact for he.net)

2003-07-03 Thread Jack Bates
Anne P. Mitchell, Esq. wrote: That query configuration in SpamAssassin was incorrect, and has been fixed in 2.60. While I apologize that it caused you an inconvenience, it was in fact set up like that without our knowledge. It was querying the HIL even if there were no Habeas headers present

Re: ISPs are asked to block yet another port

2003-06-23 Thread Jack Bates
Christopher L. Morrow wrote: This is what our, at least, abuse team calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to

Re: OT: question re. the Volume of unwanted email (fwd)

2003-06-19 Thread Jack Bates
Andy Dills wrote: How do you get your mail delivery attempts to occur so linearly? :) I think something's busted with your mrtg script... Depends on which stats he wants. He's showing the total since midnight in the graph instead of the count since the last run. -Jack

Re: OT: question re. the Volume of unwanted email (fwd)

2003-06-18 Thread Jack Bates
Miles Fidelman wrote: Since a lot of the arguments about spam hinge on the various costs it imposes on ISPs, it seems like it would be a good thing to get a handle on quantitative data. While there is a cost to ISPs regarding spam, the highest cost is still on the recipient. End users who are

Re: OT: question re. the Volume of unwanted email (fwd)

2003-06-18 Thread Jack Bates
Petri Helenius wrote: Isn't highlight and hit delete exactly what has been implemented since Mozilla 1.3 and works with almost perfect accuracy after you give it a few dozen messages to build up the good and bad database with? Actually, I find that 1.3 and 1.4 still have issues with determining

Re: Mobile code security (was Re: rr style scanning of non-customers)

2003-06-16 Thread Jack Bates
Paul Vixie wrote: text based is not what i'd require. professional grade is the right term. that can be anything from xmh to eudora as long as it was written to stand up to the worst the internet is capable of delivering to it. text based is my own preferred crutch but you don't need text based

Re: Etiquette and rules regarding Hijacked ASN's or IP space?

2003-06-09 Thread Jack Bates
Andy Dills wrote: What sorts of 'unique' routing policies justify an ASN? ISP has a corporate customer that decides to multi-home. While ISP is not multi-homed themselves, they must have an ASN to speak BGP and pass routing information between their corporate customer and their provider. So

Re: Bugbear.b (worm du jour)

2003-06-06 Thread Jack Bates
Eric Anderson wrote: Is this showing up as an issue for anyone? All I'm looking at is an MSNBC story which gives me the impression that it's a pretty low-bandwidth deal. It sounds like it requires intervention by the end user (or a system reboot) to activate it, so the propagation rate ought to

Re: Pesky spammers are using my mailbox

2003-06-04 Thread Jack Bates
Dominic J. Eidson wrote: I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender -

Re: WTF?? Was: AOL email concerns for pil.net (fwd)

2003-06-02 Thread Jack Bates
[EMAIL PROTECTED] wrote: I just received 2 copies of this email from AOL's Postmaster, and it looks genuine. We filter via SpamAssassin, but do not bounce spam or virii, but divert them to separate folders. 2) Total percentage of bounces accepted by pil.net (lower than 90% acceptance): 74% I

Re: Pesky spammers are using my mailbox

2003-06-01 Thread Jack Bates
[EMAIL PROTECTED] wrote: I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email

Re: They all suck! Re: UPS failure modes

2003-05-31 Thread Jack Bates
[EMAIL PROTECTED] wrote: for most sites I've seen, the 19 rack is too small for the monster array. they tend to use 23 racks and place the batts at the bottom - generally 3-6 hour runtime. Yeah. A lot of the remote hardened equipment runs off small battery

Re: dnsbl's? - an informal survey

2003-05-31 Thread Jack Bates
Mr. James W. Laferriere wrote: Hello Charles All , Love all of you that want to filter , Please do I would be one of those that you'd filter . I've been running my little home network for ~8 years using dialup , isdn , adsl , cable . Never could get any

Re: dnsbl's? - an informal survey

2003-05-31 Thread Jack Bates
Mr. James W. Laferriere wrote: snip White listing is NOT what was being discussed . Tho it can be advantageous in the right circumstances . snip And neither was Static addressing . Filtering was being discussed based on some unknown (to me probably others as well)

Re: .mil domain

2003-05-31 Thread Jack Bates
David Lesher wrote: Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there. I'd cc: the Inspector General for whichever branch as well...and the FTC. In other words, when one can't get a

Re: They all suck! Re: UPS failure modes

2003-05-30 Thread Jack Bates
Dan Hollis wrote: ok, what UPSes do telcos use (besides their monster battery arrays) What's wrong with our monster battery arrays? -Jack

Re: UPS failure modes

2003-05-30 Thread Jack Bates
nicholas harteau wrote: We run a configuration similar to this, except we do failure per-row with one APC Symmetra supporting between 3 and 6 cabinets, depending on the projected load. In the past 2.5(?) years, we've had one controller failure that did not cause an outage. All the batteries are

Re: Independent space from ARIN

2003-04-12 Thread Jack Bates
to and from the newer networks. Current damage estimates are rather small, although sometimes a pain to troubleshoot. I recommend running backup MX servers and DNS servers outside of the new address space to limit the amount of inbound problems. Jack Bates BrightNet Oklahoma

Re: Abuse.cc ???

2003-04-05 Thread Jack Bates
Matthew S. Hallacy wrote: How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc than terminating some customer who's probably infected with the latest microsoft worm. Worm control is important. If we let them run

Re: Semi-OT: solicitations to nanog

2003-04-02 Thread Jack Bates
Joe wrote: So as not to clutter up the list, I've posted the response/thread of email I received regarding this, complete with the explanation so to speak. I don't buy it, but perhaps I'm missing something. http://www.rocknyou.com/nanogspam.html I was surprised to get a response none the less. In

Re: RFC3514

2003-04-01 Thread Jack Bates
Scott Francis wrote: Comments? (Nice to see Mr. Bellovin keeping up the holiday tradition ... :)) Yep. Fragments that by themselves are dangerous MUST have the evil bit set. If a packet with the evil bit set is fragmented by an intermediate router and the fragments themselves are not

Re: RFC3514

2003-04-01 Thread Jack Bates
Owen DeLong wrote: Hmmm Must be 4/1 again. Owen Well, you weren't taking it seriously, I hope. lol -Jack

Re: RFC3514

2003-04-01 Thread Jack Bates
The entire thread is more entertaining than just the one post. I particularly like the mention of a cert advisory soon to be released. Although I do agree with the one poster on the thread that did make mention of the fact that doing a cvs commit is going a little far. If the commit was made

Re: State Super-DMCA Too True

2003-03-31 Thread Jack Bates
Peter Galbavy wrote: Er, isn't that the fundamental difference between IP and fixed-bandwidth voice ? I have spent any number of years trying to 'educate' old guard telco management and planners that one of the key economic benefits of the Internet over old fashioned private networks is that the

Re: State Super-DMCA Too True

2003-03-31 Thread Jack Bates
Richard A Steenbergen wrote: Get some QoS for the p2p traffic and stop complaining. One moment everyone is begging for the killer app to motivate high-speed residential connectivity, the next they're pissing and moaning because it actually happened. Actually, I think it was all the people going

Re: State Super-DMCA Too True

2003-03-31 Thread Jack Bates
Dan Hollis wrote: They dont need to adjust their pricing, they just need to lobby for new laws to protect their flawed business models. Oh wait, they just did that. IANAL, but the laws won't last. If they are enforced, the courts will overturn them. The exceptions are the mods for console game

Re: State Super-DMCA Too True

2003-03-31 Thread Jack Bates
Stephen Sprunk wrote: Okay, I'll admit filtering DoS will probably survive given it's a problem for the carrier, not just the customer. But my original point is that as long as ISPs do not examine the contents of a customer's packets, they cannot be held liable for what's in them. Content

Re: State Super-DMCA Too True

2003-03-31 Thread Jack Bates
Dan Hollis wrote: On Mon, 31 Mar 2003, Jack Bates wrote: On the other hand, an ISP that *is* aware of illegal activity would be negligent not to look into it. How about the tier1's who route abuse@ to /dev/null? IMHO they are negligent and should be held liable... I completely agree

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Mike Lyon wrote: Ahh! But you see it ain't all you can eat or rather, use as much bandwidth as you want as we don't throttle you at all. I recently signed up for Comcast and had it installed. I get some really nice download speeds, would be surprised if the download has a cap on it. However,

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Jamie Lawrence wrote: There has grown up in the minds of certain groups in this country the notion that because a man or a corporation has made a profit out of the public for a number of years, the government and the courts are charged with the duty of guaranteeing such profit in the future, even

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Larry J. Blunk wrote: I'm not trying to justify allowing the use of NAT where it is prohibited by a terms of service agreement and thus grounds for termination of service. However, going beyond termination of service and making this an illegal act under law (possibly punishable by a felony

NANOG Splinter List (Was: State Super-DMCA Too True)

2003-03-30 Thread Jack Bates
todd glassey wrote: Actually I proposed that NANOG also consider several splinter lists. Including one concerned with the Legal Issues with operating network services, and since there are jail terms being talked about I suggest that these are now sub-organizations whose time has come. I completely

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Jamie Lawrence wrote: Perhaps we'll have to agree to disagree, if you think those were good laws. I don't necessarily think they are good laws. What it comes down to is this. A person will do whatever they think they can get away with if the punishment is only losing their service. I personally

Re: NANOG Splinter List (Was: State Super-DMCA Too True)

2003-03-30 Thread Jack Bates
Rafi Sadowsky wrote: Whats wrong with the nanog-offtopic list ? The legal issues are technical on-topic and nanog related. However, there are some that want to know what's going on in the legal system, and others that don't. At the same time, those wanting to keep track of legal issues may

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Dan Hollis wrote: Since when should breaking an ISP's TOS incur a heavier prison term than a guy who beats his wife? And like wife beating, I'm sure that people will still break the ISP's TOS. -Jack

Re: State Super-DMCA Too True

2003-03-30 Thread Jack Bates
Dan Hollis wrote: Using the law to defend deceptive business practices. Makes perfect sense. It's either that or start charging the customers what it really costs. They've been so happy to get away from that. Large networks have cut their rates based on oversell so that mid-sized networks

Re: State Super-DMCA Too True

2003-03-29 Thread Jack Bates
specifically what can and cannot be done with the service. As most existing contracts show that this is not the case, there is room for the service providers to abuse this Act in their favor. Jack Bates Network Engineer BrightNet Oklahoma

Re: is this true or... ?

2003-03-28 Thread Jack Bates
Steven M. Bellovin wrote: but there may be session state -- it's bill HB 2121) only criminalizes the conduct if it's done with intent to harm or defraud a communications service provider. Now, given the anti-NAT and anti-VPN tendencies of some broadband ISPs, I'm not necessarily thrilled, but

Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread Jack Bates
[EMAIL PROTECTED] wrote: If you're going to use a dnsbl, anybody's dnsbl, figure out how to whitelist first (or real soon after), because this sort of thing will happen from time to time. Or learn how to tell people that spam is evil and under no circumstances will you accept spam from a

Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Jack Bates
than it can switch. -- Jack Bates Network Engineer BrightNet Oklahoma

Re: Syn Flood

2003-03-25 Thread Jack Bates
Christopher Bird wrote: I have zone alarm, an SMC Barricade firewall, and Norton anti virus. Ahhh, but do you have Ad-Aware? -- -Jack

Re: NJ: Red alert? Stay home, await word

2003-03-19 Thread Jack Bates
Deepak Jain wrote: Seems like a pretty steep step between Orange and Red. Are other states taking this position? I hope Oklahoma doesn't (highly doubtful). I'd be ordered to the CO and forced to stay there and make sure the network kept running. no transportation != no work. -- -Jack

Re: Your message to nanog@merit.edu

2003-03-19 Thread Jack Bates
Hmmm. Would have thought turning off a nanog subscription would be considered on the list of things to do when closing an email account. [EMAIL PROTECTED] wrote: Your message to the National Science Foundation is being returned to you because the address (sgoldste) is no longer valid. A copy

Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

2003-03-16 Thread Jack Bates
[EMAIL PROTECTED] wrote: -- Forwarded message -- Date: Sun, 16 Mar 2003 12:56:30 -0500 From: W. Mark Herrick, Jr. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Your NANOG post That being said, we have, and will continue to have, a severe issue with so-called

Re: FC: Email a RoadRunner address, get scanned by their security system]

2003-03-14 Thread Jack Bates
From: William Allen Simpson After sending an email to a friend at a RoadRunner address, I see this in my web access log: 24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] CONNECT security.rr.com:25 HTTP/1.0 404 535 Basically, RoadRunner tried to spam themselves using my server. I mailed

Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

2003-03-14 Thread Jack Bates
From: [EMAIL PROTECTED] I suspect we've gotten to the point now that there are more open proxies than open relays on the net, and it seems the proxies are more heavily abused. Perhaps it is because trojans and worms aren't setup to install open relays but to install open proxies. Proxies

Route Suppression Problem

2003-03-12 Thread Jack Bates
Unless useful to others, feel free to just reply off-list. Background: Tuesday (yesterday) morning around 1am, I got a phone call from one of my transit customers(which seems more like a dream). I, sadly, didn't have the router they are on logging to a server, so it's impossible for me to see

Re: 69/8 problem -- Would CNN care?

2003-03-12 Thread Jack Bates
Post Hopping: From: Avleen Vig No offense Lee, but OH MY GOD, can we *PLEASE* drop this now? If 69/8 is unreachable by some people, it's REALLY NOT THAT IMPORTANT. If 10% of the internet cannot reach 69/8, then it's the problem of that 10%. I'm sure when people cannot reach it they'll

Re: Route Suppression Problem

2003-03-12 Thread Jack Bates
From: Iljitsch van Beijnum Nope. It's per-prefix. If that is the case then dampening is severely broken, because then a router that receives a prefix over two paths will lose *both* if _one_ flaps. Which makes me wonder what happens when one of my BGP peers is flapping and the other is

Re: Put part of Google on 69/8 (was Re: 69/8...this sucks)

2003-03-12 Thread Jack Bates
From: Vivien M. I've had the opposite problem (people thinking I'm female, when I'm not...), and it can get quite annoying, I agree. Is this a pick up list? Find the guy or gal of your dreams that can think too? I figure that you either earn people's respect or admiration or you don't.

Re: 69/8 problem -- Would CNN care?

2003-03-12 Thread Jack Bates
From: Avleen Vig Let's spin this argument on its head for a moment and look at it from another view point: What you're facing, is opposition from negligent and / or lazy network administrators. Going up against them is always difficult. Believe me, I know. I consider this the same view.

Re: route filtering in large networks

2003-03-12 Thread Jack Bates
From: Richard A Steenbergen Simple, apply a bogon list and then fail to update it. If you are not ready willing and able to keep your lists updated, you probably shouldn't have applied them in the first place. I routinely see people doing absurd things like applying ipfw bogon filters on

Re: route filtering in large networks

2003-03-12 Thread Jack Bates
From: Michael K. Smith Check out http://www.cymru.com/Documents/secure-ios-template.html All of the various Bogons, including unassigned ranges, are represented with a route to null0. Nice, although it doesn't explain the purpose of having the routes if you have an acl. To keep viruses

Re: Bogon and anti-spoof filters

2003-03-11 Thread Jack Bates
From: Simon Brilus Does anyone have any idea of the processing overhead that would be placed on a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT interface that faced the Internet, assuming VIP4-80 engines and 256Mb of memory? It's not too bad. If it will support

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-11 Thread Jack Bates
From: Iljitsch van Beijnum Fortunately, in this particular case there is a solution on the horizon: S-BGP or soBGP. These BGP extensions authenticate all prefix announcements, so there is no longer any need to perform bogon filtering on routing information. uRPF can then be used to filter

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-11 Thread Jack Bates
From: Iljitsch van Beijnum I don't see your point. Packets with bogon sources are just one class of spoofed packets. As I've explained earlier S-BGP or soBGP with uRPF will get rid of bogons. Neither this or bogon filters on the host will do anything against non-bogon spoofed packets.

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-10 Thread Jack Bates
From: Mark Segal Since most service providers should be thinking about a sink hole network for security auditing (and backscatter), why not have ONE place where you advertise all unreachable, or better yet -- a default (ie everything NOT learned through BGP peers), and just forward the

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-10 Thread Jack Bates
From: McBurnett, Jim No seriously.. What if that customer has a VPN design with a dial backup behind their firewall. Using BGP to suck down a default route from the provider, when that default route goes away, then the internal router initiates the dial backup solution to the remote

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-10 Thread Jack Bates
From: Simon Lyall Could someone publish a name of a valid resource (or even pingable ip) in 69/8 space? This would allow people to test their (and their upstreams) filters quickly while we wait for the list to come out. The BrightNet nameservers are both in 69.8.2.0/24 for now.

Re: 69/8...this sucks -- Centralizing filtering..

2003-03-10 Thread Jack Bates
From: Ray Bellis Why not persuade ARIN to put whois.arin.net in there instead? It shouldn't take the people with the broken filters *too* long to figure out why they can't do IP assignment lookups... You are presuming that people are doing IP assignment lookups from the affected network,

Re: 69/8...this sucks

2003-03-10 Thread Jack Bates
From: jlewis Sent: Monday, March 10, 2003 9:18 PM I know some writers watch nanog for potential stories. Wake up guys, this should be one...if not for the news value ARIN gives out unusable IPs, future of the Net in question, then at least for the public service value of getting the word

Re: Question concerning authoritative bodies.

2003-03-09 Thread Jack Bates
- Original Message - From: [EMAIL PROTECTED] To: Jack Bates [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Sunday, March 09, 2003 12:31 PM Subject: Re: Question concerning authoritative bodies. So who do you trust to be objective enough about a centralized registry of security

Re: Question concerning authoritative bodies.

2003-03-09 Thread Jack Bates
From: Valdis.Kletnieks I'd just *LOVE* to hear how you intend to avoid the same problems that the crew from ORBS ran into with one large provider who decided to block their probes. Failing to address that scenario will guarantee failure Run the probes from the DNS root servers. Problem

Re: Port 445 issues (was: Port 80 Issues)

2003-03-09 Thread Jack Bates
From: Sean Donelan So far the Deloder worm appears to be responding to normal congestion feedback controls, limiting its network impact. Like CodeRed, Nimda, etc some edge providers may need to implement network controls due to scanning activities causing cache busting, but I suspect most
